The first piece of malware designed to run on Apple’s new M1 processor has been found.
A new report from Wired cited a blog post from Mac security researcher Patrick Wardle, who discovered that Safari adware made for Intel CPUs had been updated for Apple silicon, and reported that Red Canary is also “investigating an example of native M1 malware.”
The malware, called GoSearch 22, is adware that hijacks browser search results, injects ads and might possibly also steal data. It often comes secretly bundled with free online software. For the moment, its installation is blocked on the most recent versions of macOS, yet that could change.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems,” writes Wardle. “The malicious GoSearch22 application may be the first example of such natively M1 compatible code. The creation of such applications is notable for two main reasons. First (and unsurprisingly), this illustrates that malicious code continues to evolve in direct response to both hardware and software changes coming out of Cupertino.”
Wardle also mentions that anti-virus tools used to detect malware on Apple’s Intel-based Macs failed to detect GoSearch22.app on the M1 models. Perhaps it’s a matter of these anti-virus programs upgrading their database to detect new malware since the native one for M1 Macs is fairly new. Wardle also mentions that since Apple revoked the developer’s certificate, it can no longer run.
“What is not known is if Apple notarized the code,” he writes. “We cannot answer this question, because Apple has revoked the certificate.”
Apple introduced the M1 in November 2020 as the first part of its two-year plan to switch Mac products from Intel processors to Arm-based chips. The chip is currently limited to the latest models of the MacBook Air, MacBook Pro, and Mac mini.
So what should people with M1-equipped Macs do? Right now the best option is to apply security best practices — remaining wary of unidentified downloads, sketchy websites, etc. — instead of assuming that nobody would bother to target them.